EUVD-2022-1558
Malicious code in bioql PyPI...
CVE-2024-51754 Unguarded calls to __toString() when nesting an object into an array in Twig
Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString` method is not allowed by the security policy, when the object is part of an array or an argument list (arguments to a function or a filter, for instance). This issue has been patched in...
XSS injection in the Grid component of Sylius
The Grid component of Sylius omits HTML input sanitisation while rendering an object implementing the `__toString` method through the string field type...
Cross-Site Scripting (XSS)
Sylius is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject arbitrary JavaScript into a victim's browser via multiple parameters in the grid component, due to a lack of input and output sanitization while rendering an object that implements the `__toString` method through the...
Information disclosure
A sandbox information disclosure exists in Twig before 1.38.0 and 2.x before 2.7.0 because, under some circumstances, it is possible to call the `__toString` method on an object even if it is not allowed by the security policy in place...
Type confusion
The `SoapFault::__toString` method in ext/soap/soap.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information, cause a denial of service (application crash), or possibly execute arbitrary code via an unexpected data type, related to a...